
Why does splunkd_access.log burst events on our Unix universal forwarder for no reason, using up 17% CPU?

Hi,

I've set up a Unix universal forwarder to monitor text-based files on a system. I always thought forwarders have a small footprint, but my forwarder currently eats up 17% of the CPU of the machine it's installed on.

I checked everything and found something weird. splunkd_access.log writes approx. 2 MB of data every second. splunkd_access.log rolls about every two minutes.

Splunk-Forwarder-Version: 6.4.1

2 Answers

The splunkd.log part is benign, just a sign of log rotation happening in splunkd_access.log.

The access logs suggest someone is trying to make the forwarder vote in a search head cluster captain election. That makes no sense whatsoever; make sure no SHC is configured with this machine as a member, on top of what @muebel said. The client IP listed in the access log should be a good clue as to where to look for misconfiguration first.
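To follow the advice above (find the client IP and the endpoints behind a splunkd_access.log burst), here is an added triage script that is not part of this thread. It assumes an Apache-style line layout for splunkd_access.log and uses constructed sample lines; the IPs, timestamps and the `/services/shcluster/` URI path are placeholders, not values from the original post.

```python
import re
from collections import Counter, defaultdict

# Assumed splunkd_access.log layout: client ip, ident, user, [timestamp], "METHOD URI PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the thread): one remote host hammering a
# cluster endpoint, plus one ordinary local request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2016:10:00:00.001 +0000] "POST /services/shcluster/member/consensus HTTP/1.1" 400 121 - - - 1ms
10.0.0.5 - - [01/Jun/2016:10:00:00.004 +0000] "POST /services/shcluster/member/consensus HTTP/1.1" 400 121 - - - 1ms
10.0.0.5 - - [01/Jun/2016:10:00:00.009 +0000] "POST /services/shcluster/member/consensus HTTP/1.1" 400 121 - - - 1ms
10.0.0.5 - - [01/Jun/2016:10:00:01.002 +0000] "POST /services/shcluster/member/consensus HTTP/1.1" 400 121 - - - 1ms
127.0.0.1 - admin [01/Jun/2016:10:00:01.500 +0000] "GET /services/server/info HTTP/1.1" 200 3411 - - - 2ms
"""


def summarize(text, suspicious_prefix="/services/shcluster/"):
    """Aggregate access-log lines by client IP and URI and flag cluster traffic.

    Returns request counts per IP, the URIs each IP hit, the peak number of
    requests seen in any one second, and the IPs that touched the suspicious
    prefix (placeholder for SHC endpoints a forwarder should never serve).
    """
    per_ip = Counter()
    per_ip_uri = defaultdict(Counter)
    per_second = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ip = m["ip"]
        uri = m["uri"].split("?", 1)[0]          # drop query string
        per_ip[ip] += 1
        per_ip_uri[ip][uri] += 1
        per_second[m["ts"].split(".", 1)[0]] += 1  # bucket by whole second
    suspects = sorted(ip for ip, uris in per_ip_uri.items()
                      if any(u.startswith(suspicious_prefix) for u in uris))
    return {
        "per_ip": dict(per_ip),
        "per_ip_uri": {ip: dict(c) for ip, c in per_ip_uri.items()},
        "peak_per_second": max(per_second.values(), default=0),
        "suspects": suspects,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the real file (for example `summarize(open("splunkd_access.log").read())`) and the `suspects` list points at the host whose stale cluster configuration needs cleaning up.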

Thank you muebel and martin_mueller for your suggestions. Martin is indeed right with his assumption. This machine was previously configured as part of a search head cluster. But Splunk had been deleted since.

Anyway... I now ordered a complete wipe of the machine and a reset and then it should be all fine again.